Netgate Discussion Forum

    NAT Reflection not working on Bridged network segment

      shoulders

      My Setup

      • OpenVPN TAP server (called BRIDGEDVPN) which is bridged to my LAN via a bridge (bridge0) which does not have an IP or an interface
      • I have added the 'allow DHCP' rule and the 'Allow traffic on the bridged interface' rule on the BRIDGEDVPN interface.
      • I am connecting in remotely with a laptop over OpenVPN

      I used the official documentation:

      • https://docs.netgate.com/pfsense/en/latest/bridges/index.htm
      • https://docs.netgate.com/pfsense/en/latest/bridges/internal-networks.html

      What works

      • My openvpn clients get an IP from DHCP etc...
      • My devices on the OpenVPN client can talk to devices on my LAN
      • I can get the internet
      • I can talk to my router either by IP or by its FQDN
      • On my LAN, devices can access my webserver via its FQDN because I have NAT Reflection on.
      • DNS on both segments seems to be correctly hijacked by my firewall DNS floating rules, which are attached to the OpenVPN interface.
      • my webserver is fully available from the internet

      NAT Reflection is not working

      From a device on the OpenVPN client side:

      • I cannot access my webserver via its FQDN on my LAN network segment
      • Tracert gets no response to the pings and therefore shows no route

      What have I tried

      Lots of stuff but probably not well :(

      I have seen mentioned:

      • NAT might not work on these bridged segments but I am not sure if it refers to my bridge type
      • The official documentation mentions that using a static route might help:
        "For hosts behind the NAT/routed segment, NAT must occur as traffic exits toward the bridged systems so that the return traffic will come back to the firewall.
        For hosts on the bridged segment to reach hosts behind the NAT segment directly, a static route could be used on the bridged hosts or upstream gateway to send the 'private' subnet traffic to the IP address of the firewall in the bridged network."
      • I tried adding an outbound NAT rule, not sure I did it right.

      Help required

      I have got this bridged network all working except for the ability to see my webserver via FQDN, which is a must.

      Does anyone know where I am going wrong?

      I can post more information if required

      Thanks

      Shoulders

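As an added diagnostic (not part of the original post or of Netgate's documentation), the Python script below is the check I would run from the OpenVPN client laptop to separate a DNS problem from a failed NAT reflection hairpin. It resolves the web server's FQDN, classifies each answer as the server's own LAN address (no NAT involved), some other internal address (a DNS override pointing elsewhere), or the public address (which must hairpin through the firewall's NAT reflection), and then attempts a TCP connect to each. The FQDN, port, server LAN address and the sample addresses are assumed placeholders; "internal" is defined as the RFC 1918, loopback and link-local ranges.

```python
"""Tell 'DNS sends me to the wrong address' apart from 'NAT reflection
does not hairpin from this segment'. Added example; FQDN, port and the
server's LAN address below are assumed placeholders, not from the post."""
import ipaddress
import socket
import sys
from typing import List

# What we treat as internal: RFC 1918 plus loopback and link-local (v4 and v6).
# Deliberately not ipaddress.is_private, which also flags documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_internal(addr: str) -> bool:
    """True for RFC 1918 / loopback / link-local addresses of either family."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)  # cross-family 'in' is False


def expected_path(resolved: str, server_lan_ip: str) -> str:
    """Which path a connection to the resolved address takes from a bridged client."""
    if ipaddress.ip_address(resolved) == ipaddress.ip_address(server_lan_ip):
        return "direct"          # split DNS: straight to the server, no NAT needed
    if is_internal(resolved):
        return "other-internal"  # a DNS override that does not point at the server
    return "reflection"          # public address: needs the firewall's NAT hairpin


def verdict(path: str, reachable: bool) -> str:
    """Turn (path, connect result) into the conclusion a practitioner would draw."""
    if path == "direct":
        if reachable:
            return "OK: split DNS, server reached on its LAN address without NAT"
        return ("FAIL: server not reachable on its LAN address; check the rules on "
                "the bridged interface, this is not a NAT reflection problem")
    if path == "reflection":
        if reachable:
            return "OK: NAT reflection hairpin works from this segment"
        return ("FAIL: name resolves to the public address but the hairpin fails; "
                "NAT reflection is not being applied to traffic from this segment")
    if reachable:
        return "OK: reached on another internal address (DNS override in effect)"
    return "FAIL: resolves to an internal address that is not the server; check DNS host overrides"


def resolve(fqdn: str) -> List[str]:
    """All A/AAAA answers from whatever resolver this client is actually using."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None)})


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect; a completed handshake is enough to prove the path works."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(fqdn: str, port: int, server_lan_ip: str) -> List[str]:
    """One verdict line per resolved address."""
    report = []
    for addr in resolve(fqdn):
        path = expected_path(addr, server_lan_ip)
        ok = tcp_reachable(addr, port)
        report.append(f"{fqdn} -> {addr} [{path}] {verdict(path, ok)}")
    return report


if __name__ == "__main__":
    # Assumed placeholders: replace with the real FQDN, port and LAN address.
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    server_lan_ip = sys.argv[3] if len(sys.argv) > 3 else "192.168.1.10"
    for line in diagnose(fqdn, port, server_lan_ip):
        print(line)
```

Run it once from a LAN host and once from the VPN client with the same arguments; if the LAN host gets an "OK" reflection verdict and the VPN client gets the "hairpin fails" verdict for the same public address, DNS is fine and the difference is in how the firewall treats the bridged segment.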
      shoulders

        The answer is yes and no.

        • No: if you only have 1 public IP address, because your OpenVPN will be on the same public IP as your assets, such as a webserver.
        • Yes: if you have 2 public IPs and the assets you are trying to access are not on the same public IP as your OpenVPN server.
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.